To: dnsop@cafax.se
From: "D. J. Bernstein" <djb@cr.yp.to>
Date: 6 Feb 2001 20:29:56 -0000
Content-Disposition: inline
Sender: owner-dnsop@cafax.se
Subject: Re: Bogus nic.fr behavior

Nilsson writes:
> TCP and UDP are mandatory, regardless of query size.

False. RFC 1123 _recommends_ TCP. Query size was explicitly identified
as the reason for this recommendation: the authors believed that new DNS
record types would someday require packets larger than 512 bytes.

Of course, TCP is required for zone transfers, but zone transfers aren't
required for servers. A pure secondary server, or a primary server that
uses (say) rsync for replication, doesn't need outgoing zone transfers.

I recommend against TCP service on DNS servers that don't need it. TCP
makes the machine unnecessarily vulnerable to denial-of-service attacks:
opening a bunch of TCP connections will chew up memory and slow down UDP
service much more effectively than a UDP flood at the same speed would.

> it is far more likely that a generally mis-managed server would fail
> there (and in localhost reverse) than a server that is correctly managed.

Perhaps that's true for BIND. But my DNS server goes to great effort to
help new DNS administrators create correct configurations, and it does
_not_ provide lame root information by default. As I said, there's a
cost to keeping that information up to date.

> Also, most people still fail to understand the difference between name
> serving and caching resolver.

My software follows the RFC 1035 model and separates these two services.
The cache and the server run on separate IP addresses, exactly as ISPs
have learned to do with BIND. Do you want to penalize software that does
things right?

---Dan
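The truncation-and-TCP-fallback behaviour the thread argues over, as an added example that is not code from this post or from Dan's software: it builds a minimal query, decodes the TC flag of a constructed UDP reply, and applies the RFC 1035 two-byte length framing that TCP transport requires. Function names and the sample reply are assumptions made here.

```python
import struct

UDP_MAX_PAYLOAD = 512  # classic RFC 1035 limit the thread refers to


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (RD=1) for qname/qtype, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; rejects anything shorter."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(udp_response: bytes) -> bool:
    """TC=1 means the answer did not fit in the UDP reply and must be re-fetched over TCP."""
    return parse_header(udp_response)["tc"]


def exceeds_udp_limit(msg: bytes) -> bool:
    """Would this message be too large for a plain (non-EDNS) 512-byte UDP datagram?"""
    return len(msg) > UDP_MAX_PAYLOAD


def frame_for_tcp(msg: bytes) -> bytes:
    """RFC 1035 4.2.2: over TCP each message is prefixed by a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream: bytes) -> list:
    """Split a TCP byte stream into complete DNS messages; a trailing partial message is left unread."""
    out, i = [], 0
    while i + 2 <= len(stream):
        n = struct.unpack("!H", stream[i:i + 2])[0]
        if i + 2 + n > len(stream):
            break
        out.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return out


# Constructed sample reply: QR=1, RD=1, TC=1, RA=1 (0x8380), echoing the query id and question.
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + build_query("nic.fr")[12:]
```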
